Google has responded to the news stories posted last week at various news sites about the secretive data collection many apps on Google Play indulge in. Developers of Android apps now have 60 days to update their privacy policies and add notifications if their apps collect personal information such as your phone number and contacts or device information such as IMEI. If they do not comply, Google will create warnings for them, which will be displayed prominently. The Register also reports that Google will include crash reports in this policy, requiring apps to notify users if the report will contain data not directly related to the app which crashed.

"If developers don't comply within 60 days, Google said, it will warn users via Google Play Protect “or on webpages that lead to these apps”."

It has been some time since I last looked at Opera, and while I used to be a big fan of the alternative web browser my interest waned around the time that they abandoned their own engine to become (what I felt) yet another Chrome (Webkit) clone. Specifically, it looks like the last version I tested out was 12.10. Well, last month Opera released version 40 with just enough of a twist to pique my interest once again: the inclusion of a free built-in VPN.

I (finally) got around to testing out the new browser today, and it works fairly well. While setting the default to share usage data is not ideal, offering to enable the ad blocker after installation is a good touch. The VPN feature is a bit more tucked away than I would like but still accessible enough from the settings menu. Further, once it is enabled, it is easy to turn it off and on using the icon in the search/address bar.

According to Opera, the built-in VPN (virtual private network) comes courtesy of SurfEasy – a company that Opera acquired last year. SurfEasy uses OpenVPN and 256-bit encryption and also lauds itself on being a no-log VPN (they do not maintain logs tracking users' usage). Opera is not currently imposing any restrictions on the free VPN built into Opera, with bandwidth and data usage not being capped. Not bad for a free offering! For comparison, I've used the free version of ProXPN on occasion (public Wi-Fi mostly), and while the VPN is for the entire PC (not just the browser like in Opera's case) they heavily throttle the download speeds to entice you to pay (heh).

In a quick test, I got the following results:

| | Ping (ms) | Download (Mbps) | Upload (Mbps) |
|---|---|---|---|
| No VPN | 13 | 90.26 | 12.14 |
| Opera VPN | 108 | 89.72 | 12.06 |
| ProXPN Basic | 38 | 1.74 | 11.19 |

Considering the exit point was much further away (SpeedTest chose a Kansas test server, and it looks like the VPN server may have been in Houston, TX), the performance was not bad. Download and Upload speeds were only slightly slower, but (as expected) the ping was much higher.

Opera offers five locations for its free VPN: Canada, Germany, Netherlands, Singapore, and the United States.

Users can enable the VPN by browsing to opera://settings and clicking on Privacy & Security in the left hand list then checking the box next to "Enable VPN."

On another note, the included ad blocker seemed to work well (it apparently has already blocked 86 ads even though I only hit up a couple sites!). My only complaint here is that it does not make it as easy as AdBlock Plus to block/unblock specific elements (or if there is a way it's not intuitive). It is only a minor complaint though, and not really relevant for the majority of users.

I am by no means a browser benchmarker, but it feels fast enough when switching between tabs and loading websites. Fortunately, Michael Muchmore and Max Eddy put Opera through its paces and compiled the benchmark results from several synthetic tests if you are into the nitty-gritty numbers. From their data it appears that Opera is not the fastest, but by no means a slouch. The one test it fell hard on was the Unity WebGL benchmark, though it was not the only browser to do so (Opera, Chrome, and Vivaldi were all close with FireFox and Edge getting the top scores).

Other features of Opera 40 (41 in my case) include a personalized newsfeed that can be fed with any user-supplied RSS feeds, a new battery saver mode, hardware accelerated pop-out videos, Chromecast support, and a number of under the hood performance and memory optimizations (especially with more than 10 tabs open).

I am going to keep it installed and may switch back to using Opera as my daily browser. It looks like it has come a long way since Opera 12 and while it is similar to Chrome under the hood, Opera is doing enough to set itself apart that it may be worth looking into further.

As expected, Facebook has added some questionable features to the Oculus Rift and if any of it surprises you then you haven't been paying attention. The Register went through it to pull out a variety of terms that many may find questionable. Your usage will be tracked while you are using the headset and just like Facebook and many other social media apps it will use the data collected for targeted advertising. There does not seem to be any incognito mode, so think twice before using the Rift for certain applications unless you want some interesting adverts showing up on your Facebook page.

A Slashdot post points out a different concern for content creators: if you use the Oculus to create something original then, while Oculus can't claim to own it, it can use it without your consent and without having to pay you for using it. Again, this should not be surprising but if you weren't aware of the possibility, you should consider these T&C's before picking the Rift.

"THOSE OF a weak disposition should look away. News has reached us that face fun virtual reality machine, and eye of Facebook, the Oculus Rift has features that track things that people do, and use the information for the purposes of advertising."

Microsoft is revisiting an old issue with private browsing which we have seen too many times, unfortunately. In 2010 Firefox's private browsing broke and left site visits on your computer, and in 2013 Chrome went through the same issue. More recently it was discovered that when Chrome interacted with an NVIDIA GPU, sites could also be retrieved. Now it is Edge's turn: the browser stores your page visits in tables under <user>\appdata\local\microsoft\windows\history even when using InPrivate Mode. This will be resolved soon but for now if you are secretly ... ah, shopping for a loved one you might want to use a different browser, VPN or other measure. There is more info over at The Inquirer.

"BURGEONING ORWELLIAN nightmare corporation Microsoft has once again been found lacking in the security department, this time for the new and improved Edge browser in Windows 10."

On Christmas Day, Valve had a few hours of problems. Their servers were being overloaded by malicious traffic. The best analogy that I could provide would be a bad organization who sent a thousand people to Walmart, to do nothing but stand in the check-out line and ask the cashier about the time. This clogs up the infrastructure, preventing legitimate customers from making their transactions. This was often done after demanding a ransom. Don't pay? Your servers get clogged at the worst time.

A little too much sharing...

There are two ways to counter-act a DDoS attack: add hardware or make your site more efficient.

When a website is requested, the server generates the page and sends it to the customer. This process is typically slow, especially for complicated sites that pull data from one or more database(s). It then feeds this data to partners to send to customers. Some pages, like the Steam Store's front page, are mostly the same for anyone who views it (from the same geographic region). Some pages, like your order confirmation page, are individual. You can save server performance by generating the pages only when they change, and giving them to relevant users from the closest delivery server.

Someone, during a 20-fold spike in traffic relative to the typical Steam Sale volume, accidentally started saving (caching) pages with private information and delivering them to random users. This includes things like order confirmation and contact information pages for whatever logged-in account generated them. This is pretty terrible for privacy. Again, it does not allow users to interact with the profiles of other users, just see the results that other users generated.

But this is still quite bad.

Users complained, especially on Twitter, that Valve should have shut down their website immediately. From my position, I agree, especially since attempting to make a purchase tells the web server to pull the most sensitive information (billing address, etc.) from the database. I don't particularly know why Valve didn't, but I cannot see that from the outside.

It's probably a simple mistake to make, especially since Valve seems to blame a third-party for the configuration issue. On the other hand, that also meant that Valve structured their website such that sensitive information is in the hands of third-parties to properly cache. That might have been necessary, depending on their browser compatibility requirements, but I would hope that it's something Valve restructures in the future. (For instance, have the caching server store the site's framework, and fill in the individual's data with a JavaScript request to another, uncached server.)
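The failure mode described above, as a toy model: a shared cache keyed only by URL hands one user's personalized page to the next visitor unless it honors the origin's `Cache-Control` headers. This is an added example, not Valve's or its caching partner's configuration; the paths, user names and the `EdgeCache` class are constructed for illustration.

```python
# Added illustration: a toy shared (CDN-style) cache in front of an origin.
# Paths, user names and the EdgeCache class are constructed for this example.

def origin(path, session_user=None):
    """Constructed origin server: returns (headers, body) for a request."""
    if path == "/store/front":
        # Same content for every visitor: safe for a shared cache.
        return {"Cache-Control": "public, max-age=60"}, "Front page: today's deals"
    if path == "/account/contact":
        # Built from the logged-in session: must never sit in a shared cache.
        return ({"Cache-Control": "private, no-store"},
                f"Contact info for {session_user}")
    return {"Cache-Control": "no-store"}, "Not found"


class EdgeCache:
    def __init__(self, respect_headers):
        self.respect_headers = respect_headers
        self.store = {}  # keyed by URL path only, as a shared cache would be

    def may_store(self, headers):
        if not self.respect_headers:
            return True  # the misconfiguration: store every response
        directives = {d.strip().split("=")[0].lower()
                      for d in headers.get("Cache-Control", "").split(",")}
        # Store only what the origin explicitly marks as shareable.
        return "public" in directives and not directives & {"private", "no-store"}

    def get(self, path, session_user=None):
        if path in self.store:
            return self.store[path]  # served without asking the origin
        headers, body = origin(path, session_user)
        if self.may_store(headers):
            self.store[path] = body
        return body


def simulate(respect_headers):
    """Alice, then Bob, request the same personalized URL via one edge."""
    edge = EdgeCache(respect_headers)
    seen = [edge.get("/account/contact", "alice"),
            edge.get("/account/contact", "bob"),
            edge.get("/store/front", "bob")]
    return seen, sorted(edge.store)


if __name__ == "__main__":
    print(simulate(respect_headers=False))  # Bob is handed Alice's page
    print(simulate(respect_headers=True))   # only the front page is cached
```

With header checks enabled, the personalized page is fetched from the origin for each session while the shared front page is still served from the edge.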

UPDATE (Nov 19th, 12pm EST): Ed Bott emailed me to clarify a few points. First, PINs for BitLocker are not required and will not be backed up to OneDrive. I knew that PINs were not required, but I was trying to say "would there be a way that a user could use BitLocker without giving all the necessary bits to OneDrive". Apparently, using PINs is one of those ways. He also claims that you can manage your own keys by changing them and storing them locally.

He also commented on the HIPAA remark. He claims that Windows 10 is HIPAA compliant, and the reason why it was not included in the statement is because the question wasn't asked. Again, if applicable, check with your vendors and other support.

Okay so one of the major concerns with Windows 10 is how it handles your private data. I gave my thoughts on the topic a couple of weeks ago, which was a bit critical of Microsoft. I said that there are definite concerns that should be disclosed, but it is not enough of a concern to stop using it and switch to Linux or something. At least, not yet.

The foremost change is that Microsoft specified that only OneDrive, Outlook, and Skype files and content, private or public, are subject to disclosure to law enforcement. The previous wording looked like it applied to all files on Windows 10. Full access to all files sounds like something law enforcement would want, but Windows 10 does not provide it.

Another change involves BitLocker. Recovery keys are synchronized to OneDrive “to allow recovery on personal devices”. I am not sure if this also includes PINs, for devices configured to use those, but it would be crappy if it did. Regardless, the privacy statement now says “Microsoft doesn't use your individual recovery keys for any purpose.” This raises two concerns: Why did they specify “Microsoft” and why did they qualify “recovery keys” with “individual”? My assumption is that this is just an awkward trait of the English language, but it could exempt sending batches of keys to third parties, such as governments, especially if it counts as a OneDrive personal file. Again, it is probably just an awkward wording though.

A final point for me is that Telemetry, when set to “Basic”, satisfies FINRA, SEC, and FTC regulations. Oddly they don't specify HIPAA, but you probably shouldn't be listening to tech reporters (yes including me) for advice about securing health insurance and patient data. You should have more reliable channels for that sort of inquiry.

Kansas City got Google Fiber back in 2012 and, not surprisingly, a lot of users jumped to this ~$70 service from their current ISPs the moment they could. Two of the incumbent ISPs suddenly came to the realization that there was demand for broadband at this speed and turned on some of their already laid and configured fiber connections so they could start to offer actual broadband. Now, several years later, AT&T has discovered that they would need to do the same to be able to attract customers in that market. The fiber has lain dormant for quite some time as most ISPs have argued that there was no demand for that level of connectivity; at least until Google offered it and customers left them in droves, proving that the demand had always been there.

"We've moved quickly to bring more competition to the Kansas City area for blazing-fast Internet speeds and best-in-class television service," said John Sondag, president of AT&T Missouri, without apparent irony."

GM's Predix asset management platform has been used for a while now, after they came to the realization that they were in the top 20 of the largest software developers on the planet. They found that by networking the machines in their factories, as well as products that have been shipped to customers and are seeing active use, they could increase the efficiency of their factories and their products. They were aiming for a 1% increase, which when you consider the scale of these industries can equate to billions of dollars, and in many cases they did see what they had hoped for.

Now Cisco and Intel have signed up to use the Predix platform for the same results; however, they will be applying it to the Cloud and edge devices as well as the routers and switches Cisco specializes in. This should at the very least enhance the ability to monitor network traffic, predict resource shortages and handle outages, with a very good possibility of a small increase in performance and efficiency across the board. This is good news to those who currently deal with the cloud, but it is perhaps worth noting that you will be offering up your company's metrics to Predix and you should be aware of any possible security concerns that may arise because of that integration to another system. You could however argue that once you have moved to the cloud that this is already happening.

Mozilla Labs is researching a new approach to the problem of privacy and targeted advertising: allow the user to provide the data that honest advertisers intend to acquire via tracking behavior. The hope is that users who manage their own privacy will not have companies try to do it for them.

Internet users are growing concerned about how they are tracked and monitored online. Crowds rally behind initiatives, such as Do Not Track (DNT) and neutering the NSA, because of an assumed promise of privacy even if it is just superficial.

DNT, for instance, is a web developer tool permitting honest sites to be less shy when considering features which make privacy advocates poop themselves and go to competing pages. Users, who were not the intended audience of this feature, threw a fit because it failed to satisfy their privacy concerns. Internet Explorer, which is otherwise becoming a great browser, decided to break the standard by not providing the default, "user has not specified", value.

Of course, all this does is hand honest web developers a broken tool; immoral and arrogantly amoral sites will track anyway.

Mozilla Labs is currently investigating another solution. We could, potentially, at some point, see an addition to Firefox which distills all of the information honest websites would like to know into a summary which users could selectively share. This, much like DNT, will not prevent companies or other organizations from tracking you but rather give most legitimate situations a fittingly legitimate alternative.

All of this data, such as history and geolocation, is already stored by browsers as a result of how they operate. This concept allows users to release some of this information to the sites they visit and, ideally, satisfy both parties. Maybe then, those who actually are malicious, cannot shrug off their actions as a common industry requirement.

The Electronic Frontier Foundation (EFF) released its annual Who Has Your Back report, which highlights Internet companies that (do or do not) defend users’ online privacy rights. The EFF looks at the policies and actions of several major Internet companies, including ISPs, cloud storage, email, and social networks (among others). The companies are graded on various criteria such as whether the companies require a subpoena or warrant before releasing information, lobby Congress for stricter data privacy laws, and defend their users’ privacy rights in court.

This year, the EFF found some surprising results. Google is no longer the leader of the pack due to no longer providing transparent data requests to users on the same level that it did in the past. Twitter and ISP Sonic.net are actually the top ranked companies. In a less surprising twist, Verizon is actually the worst company of the bunch along with MySpace with failing grades in each category! And that is just the tip of the spear, with companies like Apple and AT&T being worse than I thought and Foursquare and WordPress doing better than I expected.

Data privacy is of supreme importance, and I hope that these EFF reports prod all companies to do better (and note the companies that are doing right by their users). It is definitely worth a read. You can find the full report in PDF form here.

Do you use any of these services, and are you happy with their data privacy efforts?